Program your application to send three Set-Cookie headers to approved viewers. You need three Set-Cookie headers because each Set-Cookie header can carry only one name-value pair, and a CloudFront signed cookie requires three: CloudFront-Policy, CloudFront-Signature, and CloudFront-Key-Pair-Id. All three values must be present on the viewer before the user makes the first request for a file that you want to control access to.

Note

In general, we recommend that you exclude the Expires and Max-Age attributes. A cookie with neither attribute is a session cookie, which the browser deletes when the user closes it; that shortens the window in which a copied cookie can be replayed and reduces the possibility of someone getting unauthorized access to your content. For more information, see Preventing Misuse of Signed Cookies.

Domain

The domain name for the requested file. If you don't specify a Domain attribute, the default value is the domain name in the URL, and the cookie applies only to that domain name, not to subdomains. If you specify a Domain attribute, the cookie also applies to subdomains. A leading dot in the domain name (for example, Domain=.example.com) is optional. In addition, if you specify a Domain attribute, the domain name in the URL and the value of the Domain attribute must match.

You can specify the domain name that CloudFront assigned to your distribution, for example, d111111abcdef8.cloudfront.net, but you can't specify *.cloudfront.net for the domain name.

Path

The path for the requested file. If you don't specify a Path attribute, the default value is the path in the URL.

Secure

Requires that the viewer send the cookie only over an HTTPS connection. The attribute does not encrypt the cookie itself; it only stops the browser from sending it in cleartext. We also recommend that you send the Set-Cookie header itself over an HTTPS connection, so that neither the cookie values nor their attributes can be read or altered in a man-in-the-middle attack.

HttpOnly

Requires that the viewer send the cookie only in HTTP or HTTPS requests and not expose it to client-side scripts (for example, through document.cookie). This limits what a cross-site scripting flaw in your pages can do with the signed cookie.

CloudFront-Policy

The base64-encoded policy statement (JSON with the whitespace removed). The policy statement controls the access that a signed cookie grants to a user: the files that the user can access, an expiration date and time, an optional date and time that the cookie becomes valid, and an optional IP address or range of IP addresses that are allowed to access the files.

CloudFront-Key-Pair-Id

The ID for an active CloudFront key pair, for example, APKA9ONS7QCOWEXAMPLE. The CloudFront key pair ID tells CloudFront which public key to use to validate the signed cookie. CloudFront verifies the signature in CloudFront-Signature, using that public key, against the policy statement in CloudFront-Policy, so a policy that was altered after signing, or a signature produced with a different private key, is rejected.

The key pair ID that you include in CloudFront signed cookies must be associated with an AWS account that is one of the trusted signers for the applicable cache behavior.

If you make a key pair inactive while rotating CloudFront key pairs, you must update your application to use a new active key pair for one of your trusted signers. For more information about rotating key pairs, see Rotating CloudFront Key Pairs.

Example Set-Cookie headers for one signed cookie when you're using the domain name that is associated with your distribution in the URLs for your files:
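The following is an added example (my code, not from the AWS documentation) that produces the three Set-Cookie header values described above and lints their attributes. It assumes the compact policy in POLICY_JSON (constructed from the page's first example policy), the placeholder key pair ID APKA9ONS7QCOWEXAMPLE from the text, the distribution domain d111111abcdef8.cloudfront.net, and a caller-supplied signing callable; rsa_sha1_signer shows the production shape using the third-party cryptography package, while the demo at the bottom uses a stand-in that is not a real signature.

```python
"""Emit and lint the three Set-Cookie headers of one CloudFront signed cookie.

Added example, not from the AWS documentation.  Assumptions: the compact
policy in POLICY_JSON (constructed from the page's first example policy), the
placeholder key pair ID from the text, and a caller-supplied signing callable.
"""
import base64
import hashlib
from typing import Callable, List

# Constructed sample: one file, one /24 range, expires 2013-01-01 10:00 UTC.
POLICY_JSON = (
    '{"Statement":[{"Resource":"http://d111111abcdef8.cloudfront.net/game_download.zip",'
    '"Condition":{"IpAddress":{"AWS:SourceIp":"192.0.2.0/24"},'
    '"DateLessThan":{"AWS:EpochTime":1357034400}}}]}'
)
KEY_PAIR_ID = "APKA9ONS7QCOWEXAMPLE"          # placeholder from the page, not a real key
COOKIE_DOMAIN = "d111111abcdef8.cloudfront.net"

# CloudFront's base64 variant: '+', '=' and '/' are swapped for characters that
# are safe inside cookie values and URLs.  Decoding reverses the same mapping.
_CF_ENCODE = str.maketrans("+=/", "-_~")
_CF_DECODE = str.maketrans("-_~", "+=/")


def cf_b64encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").translate(_CF_ENCODE)


def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_CF_DECODE))


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Production signer: RSA-SHA1 with PKCS#1 v1.5 padding, which is what
    CloudFront verifies.  Uses the third-party `cryptography` package, imported
    lazily so the rest of this file runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA1())


def signed_cookie_headers(policy_json: str, key_pair_id: str,
                          sign: Callable[[bytes], bytes],
                          domain: str, path: str = "/") -> List[str]:
    """Return the three Set-Cookie header values (without the 'Set-Cookie: ' prefix).

    The signature covers exactly the policy bytes that go into CloudFront-Policy.
    No Expires or Max-Age is set, so the browser treats them as session cookies.
    """
    policy_bytes = policy_json.encode("utf-8")
    pairs = [
        ("CloudFront-Policy", cf_b64encode(policy_bytes)),
        ("CloudFront-Signature", cf_b64encode(sign(policy_bytes))),
        ("CloudFront-Key-Pair-Id", key_pair_id),
    ]
    attrs = f"Domain={domain}; Path={path}; Secure; HttpOnly"
    return [f"{name}={value}; {attrs}" for name, value in pairs]


_REQUIRED = ("Secure", "HttpOnly")
_FORBIDDEN = ("Expires", "Max-Age")


def check_cookie_header(header: str) -> List[str]:
    """Lint one header value against the recommendations above; return the problems found."""
    names = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    problems = [f"missing {a}" for a in _REQUIRED if a.lower() not in names]
    problems += [f"unexpected {a}" for a in _FORBIDDEN if a.lower() in names]
    return problems


if __name__ == "__main__":
    # Stand-in signer so the demo runs without a key pair; NOT a real signature.
    def demo_sign(data: bytes) -> bytes:
        return hashlib.sha1(b"demo-only" + data).digest()

    for header in signed_cookie_headers(POLICY_JSON, KEY_PAIR_ID, demo_sign, COOKIE_DOMAIN):
        print("Set-Cookie:", header, check_cookie_header(header) or "ok")
```

The three substitutions in cf_b64encode are the detail most often got wrong: standard or URL-safe base64 from a library produces values CloudFront does not accept, and the policy cookie must decode back to byte-for-byte the JSON that was signed, which is what the lint and the round trip through cf_b64decode let you confirm before deploying.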

Resource (Optional)

The base URL of the file or files that the cookie grants access to. If you omit the Resource parameter, users can access all of the files associated with any distribution that is associated with the key pair that you use to create the signed cookie.

You can specify only one value for Resource.

Note the following:

Protocol – The value must begin with http:// or https://.

Query string parameters – If you have no query string parameters, omit the question mark.

Wildcards – You can use the wildcard character that matches zero or more characters (*) or the wildcard character that matches exactly one character (?) anywhere in the string. For example, the value:

Alternate domain names – If you specify an alternate domain name (CNAME) in the URL, you must specify the alternate domain name when referencing the file in your web page or application. Do not specify the Amazon S3 URL for the file.

DateLessThan

The expiration date and time for the cookie in Unix time format (in seconds) and Coordinated Universal Time (UTC). Do not enclose the value in quotation marks.

For example, March 16, 2015 10:00 am UTC converts to 1426500000 in Unix time format.

DateGreaterThan (Optional)

An optional start date and time for the cookie in Unix time format (in seconds) and Coordinated Universal Time (UTC). Users are not allowed to access the file before the specified date and time. Do not enclose the value in quotation marks.

IpAddress (Optional)

The IP address of the client making the GET request, in CIDR notation (for example, 192.0.2.0/24 for a range, or 192.0.2.10/32 for a single address). Note the following:

To allow any IP address to access the file, omit the IpAddress parameter.

You can specify either one IP address or one IP address range. For example, you can't set the policy to allow access if the client's IP address is in one of two separate ranges.

CloudFront compares the range with the source address of the request as CloudFront sees it. Viewers behind a NAT gateway or a forward proxy share one source address, so a range meant to admit one office admits everyone who shares that egress. The comparison also covers IPv4 addresses only, so don't enable IPv6 on a distribution whose content you restrict with IpAddress.

Example Policy Statements for a Signed Cookie That Uses a Custom Policy

The following example policy statements show how to control access to a specific file, all of the files in a directory, or all of the files associated with a key pair ID. The examples also show how to control access from an individual IP address or a range of IP addresses, and how to prevent users from using the signed cookie after a specified date and time.

If you copy and paste any of these examples, remove any whitespace (including tabs and newline characters), replace the applicable values with your own values, and include a newline character after the closing brace ( } ).

Example Policy Statement: Accessing One File from a Range of IP Addresses

The following example custom policy in a signed cookie specifies that a user can access the file http://d111111abcdef8.cloudfront.net/game_download.zip from IP addresses in the range 192.0.2.0/24 until January 1, 2013 10:00 am UTC:

Example Policy Statement: Accessing All Files in a Directory from a Range of IP Addresses

The following example custom policy allows you to create signed cookies for any file in the training directory, as indicated by the * wildcard character in the Resource parameter. Users can access the files from an IP address in the range 192.0.2.0/24 until January 1, 2013 10:00 am UTC:

Each request that carries a signed cookie with this policy is for a specific file whose URL must match the Resource pattern, for example:

http://d111111abcdef8.cloudfront.net/training/orientation.pdf

Example Policy Statement: Accessing All Files Associated with a Key Pair ID from One IP Address

The following sample custom policy allows you to set signed cookies for any file associated with any distribution, as indicated by the * wildcard character in the Resource parameter. The user must use the IP address 192.0.2.10/32. (The value 192.0.2.10/32 in CIDR notation refers to a single IP address, 192.0.2.10.) The files are available only from January 1, 2013 10:00 am UTC until January 2, 2013 10:00 am UTC:
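To show how the conditions in these policies are built and enforced, here is an added example (my code, not from the AWS documentation). It reconstructs the three example policies above with build_policy and then applies their Resource, DateLessThan, DateGreaterThan and IpAddress checks to sample requests the way CloudFront does, signature verification aside. The Resource value http*://* for the all-files policy is my assumption for the wildcard the text refers to, and the function names are my own.

```python
"""Build CloudFront custom policies and evaluate their conditions locally.

Added example, not from the AWS documentation.  The policies in __main__
reconstruct the page's three examples; "http*://*" as the Resource of the
all-files policy is an assumption for the wildcard the text refers to.
"""
import ipaddress
import json
import re
from typing import Optional


def build_policy(resource: Optional[str], expires: int, starts: Optional[int] = None,
                 ip_range: Optional[str] = None) -> str:
    """Return the policy as compact JSON, ready to be encoded into CloudFront-Policy.

    Epoch times are bare integers, never quoted.  A single IP address is
    normalised to /32, and an invalid address or range raises ValueError.
    """
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires)}}
    if starts is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(starts)}
    if ip_range is not None:
        network = ipaddress.ip_network(ip_range, strict=False)
        condition["IpAddress"] = {"AWS:SourceIp": str(network)}
    statement = {"Condition": condition}
    if resource is not None:   # omitting Resource grants every file behind the key pair
        statement = {"Resource": resource, **statement}
    return json.dumps({"Statement": [statement]}, separators=(",", ":"))


def resource_matches(pattern: str, url: str) -> bool:
    """'*' matches zero or more characters and '?' exactly one, anywhere in the pattern."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, url) is not None


def policy_allows(policy_json: str, url: str, now: int, client_ip: str) -> bool:
    """Apply the policy's conditions to one request (signature checking is separate).

    DateLessThan and DateGreaterThan are strict comparisons, as their names say.
    IpAddress is a single CIDR range; an IPv6 client never matches an IPv4 range.
    """
    statement = json.loads(policy_json)["Statement"][0]
    condition = statement["Condition"]
    if "Resource" in statement and not resource_matches(statement["Resource"], url):
        return False
    if not now < condition["DateLessThan"]["AWS:EpochTime"]:
        return False
    if "DateGreaterThan" in condition and not now > condition["DateGreaterThan"]["AWS:EpochTime"]:
        return False
    if "IpAddress" in condition:
        allowed = ipaddress.ip_network(condition["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in allowed:
            return False
    return True


if __name__ == "__main__":
    base = "http://d111111abcdef8.cloudfront.net"
    jan1, jan2 = 1357034400, 1357120800   # 2013-01-01 and 2013-01-02, 10:00 UTC
    examples = {
        "one file, /24 range": build_policy(f"{base}/game_download.zip", jan1, ip_range="192.0.2.0/24"),
        "directory, /24 range": build_policy(f"{base}/training/*", jan1, ip_range="192.0.2.0/24"),
        "all files, one IP": build_policy("http*://*", jan2, starts=jan1, ip_range="192.0.2.10/32"),
    }
    for label, policy in examples.items():
        print(label, "->", policy)
    # One file in the directory, one minute before expiry, from inside the range.
    print(policy_allows(examples["directory, /24 range"], f"{base}/training/orientation.pdf",
                        jan1 - 60, "192.0.2.44"))
```

Running policy_allows against your own policies before you deploy them catches the common mistakes: a quoted epoch, a Resource that does not cover the URLs your pages actually request, a DateGreaterThan equal to the current time (still rejected, because the comparison is strict), or a second IP range that the format cannot express.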